ClearPass Access Management Basics
Access Management
Derin Mellor, 5th June 2013
#airheadsconf

CONFIDENTIAL © Copyright 2013. Aruba Networks, Inc. All rights reserved.


Network Manager’s Desires

• Control who can access what, where and when
• Wired Lockdown
• Profile connecting devices
• MAC spoofing prevention
• Simple Guest access
• Seamless BYOD
• Posture compliance
  • NAP, Persistent, Dissolvable
• TACACS
• Network audit


CPPM Operation


Service Processing


Services Match

Services are processed top down; the first match wins. If no service matches: Reject.

Disabled (a disabled service is skipped)

Matching is done on the RADIUS parameters of the first packet.

NOTE: The EAP type is exchanged later in the RADIUS dialogue, so it is not available when the service is selected.


Simple Corporate Service

To differentiate between a Machine and User authentication


Corporate 802.1X Authentication

Assign appropriate role


Define Basic Wired 802.1X Corporate Service

Use the generic 802.1X Wired template

Service: Match these RADIUS attributes
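The service selection rule of slide 5 (top down, first enabled match, Reject when nothing matches, only the attributes of the first Access-Request available) and the "match these RADIUS attributes" rule set of the wired template on this slide, as an added example in Python. This is not ClearPass code; the service names, the rule values and the template match conditions (NAS-Port-Type and Service-Type) are assumptions chosen to resemble the slides.

```python
# Added example, not ClearPass code: a minimal model of how CPPM picks the
# service for a RADIUS request (slide 5) and what a "match these RADIUS
# attributes" rule set looks like (slide 8). Attribute names follow RADIUS
# conventions; the service names and rule values are assumptions.
from dataclasses import dataclass
from typing import Any, Callable, List, Optional

# Predicates used in service rules.
def equals(value: Any) -> Callable[[Any], bool]:
    return lambda x: x == value

def belongs_to(*values: Any) -> Callable[[Any], bool]:
    return lambda x: x in values

@dataclass
class Service:
    name: str
    rules: list                      # [(attribute, predicate)]; all must hold
    enabled: bool = True

    def matches(self, request: dict) -> bool:
        # A missing attribute evaluates as None, so an attribute that is
        # never present in the first packet can never satisfy a rule.
        return all(pred(request.get(attr)) for attr, pred in self.rules)

# Assumed service list, in the order an administrator arranged it.
SERVICES: List[Service] = [
    Service("Legacy Wireless (old SSID)",
            [("NAS-Port-Type", equals("Wireless-802.11"))], enabled=False),
    Service("MAB Guest",
            [("Service-Type", equals("Call-Check"))]),
    # A rule on EAP-Type never matches: the first Access-Request only carries
    # EAP-Response/Identity, and the EAP type is negotiated later.
    Service("Corporate EAP-TLS only",
            [("NAS-Port-Type", equals("Ethernet")), ("EAP-Type", equals("EAP-TLS"))]),
    # The generic 802.1X Wired template match, as assumed here.
    Service("Wired 802.1X Corporate",
            [("NAS-Port-Type", equals("Ethernet")),
             ("Service-Type", belongs_to("Login-User", "Framed-User", "Authenticate-Only"))]),
    Service("Wireless 802.1X Corporate",
            [("NAS-Port-Type", equals("Wireless-802.11")),
             ("Service-Type", belongs_to("Login-User", "Framed-User", "Authenticate-Only"))]),
]

def select_service(request: dict, services: List[Service] = SERVICES) -> Optional[str]:
    """Top down, first enabled match wins; None means CPPM would Reject."""
    for service in services:
        if not service.enabled:
            continue
        if service.matches(request):
            return service.name
    return None

# Constructed first-packet attribute sets (what the NAS sends before any EAP
# method has been chosen).
WIRED_DOT1X = {"NAS-Port-Type": "Ethernet", "Service-Type": "Framed-User",
               "User-Name": "host/PC1.corp.example"}
WIRELESS_DOT1X = {"NAS-Port-Type": "Wireless-802.11", "Service-Type": "Login-User",
                  "User-Name": "alice"}
MAB = {"NAS-Port-Type": "Ethernet", "Service-Type": "Call-Check",
       "User-Name": "00-11-22-33-44-55"}
VPN = {"NAS-Port-Type": "Virtual", "Service-Type": "Framed-User", "User-Name": "bob"}

if __name__ == "__main__":
    for label, req in [("wired", WIRED_DOT1X), ("wireless", WIRELESS_DOT1X),
                       ("mab", MAB), ("vpn", VPN)]:
        print(label, "->", select_service(req) or "REJECT (no service matched)")
```

The "Corporate EAP-TLS only" entry shows the practical consequence of the slide's note: a service whose rules depend on the EAP type sits in the list and is silently skipped for every request, and the request falls through to whatever enabled service comes next.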


Define Basic Wired 802.1X Corporate Authentication

Allows known (Endpoint Repository) and unknown MAC addresses

PEAP inner EAP methods: MSCHAP, TLS, GTC

If in [ ] it can’t be edited

TLS details


Define Basic Wired 802.1X Corporate Enforcement Policy

NOTE: Roles are not being used


Testing

Instant: Machine Login; Instant: User Login

Test steps:
1. Machine power-on
2. User Login
3. User Logoff
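The machine-versus-user distinction of slide 6, the "assign appropriate role" of slide 7 and the three test steps above (machine power-on, user login, user logoff), as an added example in Python. This is not ClearPass code. The one fact it relies on is that a Windows machine authentication presents the identity `host/<computer>.<domain>`; the enforcement profile names, the per-endpoint state and the policy that an endpoint without a prior machine authentication gets a restricted profile are assumptions.

```python
# Added example, not ClearPass code. Windows machine authentication presents
# the identity "host/<computer>.<domain>"; that prefix is what lets a
# corporate 802.1X service treat a machine login differently from a user
# login. The enforcement profile names and the per-endpoint state kept across
# machine power-on, user login and user logoff are assumptions for the example.
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class EndpointState:
    machine_authenticated: bool = False
    user: Optional[str] = None

def classify_identity(user_name: str) -> str:
    """'machine' for a host/ identity, 'user' for anything else."""
    return "machine" if user_name.lower().startswith("host/") else "user"

def normalise_user(user_name: str) -> str:
    """Reduce 'CORP\\alice' and 'alice@corp.example' to the bare account name."""
    if "\\" in user_name:
        user_name = user_name.split("\\", 1)[1]
    return user_name.split("@", 1)[0].lower()

class CorporateEnforcement:
    """Enforcement decisions for one wired 802.1X corporate service."""

    def __init__(self) -> None:
        self.endpoints: Dict[str, EndpointState] = {}

    def _state(self, mac: str) -> EndpointState:
        return self.endpoints.setdefault(mac.lower(), EndpointState())

    def authenticate(self, mac: str, user_name: str, credentials_ok: bool = True) -> str:
        """Return the enforcement profile for one Access-Request."""
        state = self._state(mac)
        if not credentials_ok:
            return "Deny Access"
        if classify_identity(user_name) == "machine":
            # Machine power-on: remember that this endpoint is a domain machine.
            state.machine_authenticated = True
            state.user = None
            return "Machine Role"
        state.user = normalise_user(user_name)
        # Assumed policy: a domain user on an endpoint that never completed a
        # machine authentication (e.g. a personal laptop) gets restricted access.
        return "User Role" if state.machine_authenticated else "Restricted Role"

    def logoff(self, mac: str) -> Optional[str]:
        """User logoff: the user session ends; the machine re-authenticates."""
        state = self._state(mac)
        state.user = None
        return "Machine Role" if state.machine_authenticated else None

if __name__ == "__main__":
    enf = CorporateEnforcement()
    pc = "00-11-22-33-44-55"                                # constructed domain PC
    print(enf.authenticate(pc, "host/PC1.corp.example"))    # Machine Role
    print(enf.authenticate(pc, "CORP\\alice"))              # User Role
    print(enf.logoff(pc))                                   # Machine Role
    print(enf.authenticate("aa-bb-cc-dd-ee-ff", "alice@corp.example"))  # Restricted Role
```

Running the three test steps of the slide against this model gives Machine Role, User Role and then Machine Role again after logoff; the same user account from an endpoint that never authenticated as a machine lands in the restricted profile, which is the case worth checking when testing a new service.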


Guest Access


Guest Login Sequence (Client – NAS – CPPM Server)

1. Unknown PC connects. The NAS learns the MAC and sends RADIUS Req (MAB). MAB Service: verifies MAC, Device=Unknown. RADIUS Accept assigns a role with HTTP redirect to CPPM. Client sends DHCP Req.
2. User browses (HTTP www.any.com). NAS sends an HTTPS redirect to CPPM/guest; the client opens HTTPS CPPM/guest; CPPM presents the Guest portal.
3. User login: HTTPS Post MAC/User/IP to CPPM. PreAuth Service: checks credentials, then HTTPS redirect to the NAS with an HTTPS Post MAC/User/IP. The NAS converts this to a RADIUS Auth (RADIUS Req User). Guest Service: checks credentials, Device := Known; RADIUS Accept with Guest Reg role. NAS sends RADIUS Req (MAB); CPPM assigns the Guest role; RADIUS Accept with Guest role.
4. User on as Guest.


Guest Services

• Three Guest services
  1. Guest/Device who have already logged in
    • Known: MAC Caching
    • Unknown: Guest Registration portal
  2. PreAuthentication check: verifies user credentials
    • Correct: HTTP Post redirect
    • Incorrect: provides suitable portal page
  3. Guest Registration
    • RADIUS Request from NAS


MAC Caching - 1

MAC Authentication: RADIUS Request from NAS

“MAC Authentication”: RADIUS CallingStationID = RADIUS UserName

Allow known and unknown MAC addresses
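The guest login sequence of slide 13, the three guest services of slide 14 and the MAC caching rule of this slide (a MAB request is one whose User-Name equals the Calling-Station-Id; known and unknown MACs are both allowed), as an added simulation in Python with client, NAS and CPPM sides. This is not ClearPass code; the role names, portal URLs, cache lifetime and guest account table are constructed for the example.

```python
# Added example, not ClearPass code: a simulation of the guest login sequence
# of slide 13, with the three guest services of slide 14 and the MAC caching
# of slide 15 (MAB request where User-Name equals Calling-Station-Id; known
# and unknown MACs allowed). Role names, portal URLs, the cache lifetime and
# the guest account table are constructed for the example.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CACHE_LIFETIME_H = 24.0          # assumed MAC caching period, in hours

@dataclass
class Endpoint:
    known: bool = False
    cached_role: Optional[str] = None
    cache_expires_h: float = 0.0

class CPPM:
    def __init__(self, guest_accounts: Dict[str, str]) -> None:
        self.guest_accounts = guest_accounts      # user -> password (constructed)
        self.endpoints: Dict[str, Endpoint] = {}  # Endpoint Repository
        self.clock_h = 0.0                        # simulated time, in hours

    def _ep(self, mac: str) -> Endpoint:
        return self.endpoints.setdefault(mac.lower(), Endpoint())

    # Service 1: MAC authentication. Known and unknown MACs are both allowed;
    # what differs is the role: the cached guest role, or a redirect to the portal.
    def mab_service(self, req: dict) -> dict:
        if req["User-Name"] != req["Calling-Station-Id"]:
            return {"code": "Access-Reject", "reason": "not a MAC authentication"}
        ep = self._ep(req["Calling-Station-Id"])
        if ep.known and ep.cached_role and self.clock_h < ep.cache_expires_h:
            return {"code": "Access-Accept", "role": ep.cached_role}   # MAC cache hit
        return {"code": "Access-Accept", "role": "Guest-Redirect",
                "redirect": "https://cppm.example/guest"}               # unknown device

    # Service 2: PreAuth check of the portal's HTTPS POST. Correct credentials
    # produce a redirect POST to the NAS; incorrect ones return a portal page.
    def preauth_service(self, post: dict) -> dict:
        if self.guest_accounts.get(post["user"]) == post["password"]:
            return {"status": 302, "location": "https://nas.example/auth", "post": post}
        return {"status": 200, "page": "Login failed: check username and password"}

    # Service 3: Guest registration, from the RADIUS request the NAS builds
    # out of that POST. Marks the endpoint known and caches the guest role.
    def guest_service(self, req: dict) -> dict:
        if self.guest_accounts.get(req["User-Name"]) != req["User-Password"]:
            return {"code": "Access-Reject"}
        ep = self._ep(req["Calling-Station-Id"])
        ep.known = True                                   # [Update Endpoint Known]
        ep.cached_role = "Guest"                          # Guest MAC Caching
        ep.cache_expires_h = self.clock_h + CACHE_LIFETIME_H
        return {"code": "Access-Accept", "role": "Guest-Reg"}

def guest_login_sequence(cppm: CPPM, mac: str, ip: str, user: str,
                         password: str) -> List[Tuple[str, str]]:
    """Drive client, NAS and CPPM through the slide-13 exchange; return the trace."""
    trace = []
    # 1. Unknown PC connects: the NAS learns the MAC and sends a RADIUS MAB request.
    r = cppm.mab_service({"User-Name": mac, "Calling-Station-Id": mac})
    trace.append(("RADIUS MAB", r["role"]))
    if r["role"] != "Guest-Redirect":
        return trace                      # cache hit: the device is on as Guest already
    # 2. User browses; the NAS redirects to the portal. 3. User posts credentials.
    pre = cppm.preauth_service({"mac": mac, "user": user, "password": password, "ip": ip})
    if pre["status"] != 302:
        trace.append(("Portal page", pre["page"]))
        return trace
    trace.append(("HTTPS redirect", pre["location"]))
    # The NAS converts the POST it receives into a RADIUS user authentication.
    r = cppm.guest_service({"User-Name": pre["post"]["user"],
                            "User-Password": pre["post"]["password"],
                            "Calling-Station-Id": mac})
    trace.append(("RADIUS user auth", f'{r["code"]} {r.get("role", "")}'.strip()))
    # The NAS re-runs MAB; the endpoint is now known, so the cached Guest role applies.
    r = cppm.mab_service({"User-Name": mac, "Calling-Station-Id": mac})
    trace.append(("RADIUS MAB", r["role"]))
    return trace                          # 4. User on as Guest

GUEST_ACCOUNTS = {"visitor1": "s3cr3t"}   # constructed guest account

if __name__ == "__main__":
    cppm = CPPM(GUEST_ACCOUNTS)
    for step in guest_login_sequence(cppm, "00:11:22:33:44:55", "10.0.0.5", "visitor1", "s3cr3t"):
        print(*step)
```

The second connection of the same MAC returns only one trace entry (the MAB cache hit), and once the simulated clock passes the cache lifetime the device is sent back to the portal; that expiry is the control that bounds how long a cached MAC keeps network access without re-presenting credentials.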


MAC Caching - 2

Unknown device: Guest Reg portal

MAC Spoof

Guest MAC cache

Contractor MAC cache


PreAuth Check

This service checks the HTTP Post user credentials. If they are correct, it redirects the HTTP Post to the NAS. If the credentials are incorrect, it sends back a suitable error.

Just a RADIUS Allow: does not cause the HTTP Post redirect


Guest Registration - 1

RADIUS Request from NAS: Basic RADIUS Authentication


Guest Registration - 2

• Guest Session Timeout
• Guest Bandwidth Limit
• Guest Session Limit – number of allowed devices
• Guest MAC Caching – cache device
• [Update Endpoint Known] – make device known in CPPM’s Endpoint repository
• Aruba Guest WiFi profile – assign VLAN


CPG Configuration

Enable PreAuth check

Record MAC address in CPPM


Guest Access

• Account creation
  • Receptionist, Bulk (Conference), Sponsored, Self-service
• Infrastructure redirects to guest portal
• Simple registration process
• Receipt
• Sponsor confirmation
• Guest notification
  • Web portal, email, SMS
• Totally customizable


Controlling Guests


Profiling Devices and MAC Spoof Prevention


Profile Network Devices

• Most Common Mechanisms
  • Relay DHCP Requests to CPPM
  • Login at Guest portal


MAC Spoof Detection

• Original DHCP Request recorded as genuine
• DHCP Fingerprint = MAC + Hostname + DHCP Option fields
• MAC Spoof Attack: attempt to get enhanced privileges
  • Set PC to another device’s MAC
• Subsequent DHCP Requests compared with original
• If different, CPPM generates a “Conflict”
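The detection described on this slide, as an added example in Python that is not ClearPass code: the first DHCP request seen from a MAC is recorded as the genuine fingerprint (MAC, hostname, DHCP option fields), later requests from the same MAC are compared with it, and a mismatch raises a Conflict. The option parser handles the standard DHCP option codes 12 (hostname), 55 (parameter request list), 60 (vendor class) and 255 (end); the exact set of option fields CPPM fingerprints on is not stated on the slide, so the choice here is an assumption, and the sample packets are constructed.

```python
# Added example, not ClearPass code: the MAC-spoof detection idea of slide 25.
# The first DHCP request seen from a MAC is recorded as the genuine
# fingerprint (MAC + hostname + DHCP option fields); later requests from the
# same MAC are compared and a mismatch raises a "Conflict". Which option
# fields CPPM really compares is not on the slide; this choice is an
# assumption, and the sample packets below are constructed.
from dataclasses import dataclass
from typing import Dict, List, Tuple

OPT_HOSTNAME, OPT_PARAM_LIST, OPT_VENDOR_CLASS, OPT_PAD, OPT_END = 12, 55, 60, 0, 255

def parse_dhcp_options(data: bytes) -> Dict[int, bytes]:
    """Parse the TLV option area of a DHCP message (the bytes after the magic cookie)."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:            # single-byte pad, no length field
            i += 1
            continue
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts

@dataclass(frozen=True)
class Fingerprint:
    mac: str
    hostname: str
    param_list: Tuple[int, ...]
    vendor_class: str

    @classmethod
    def from_request(cls, mac: str, options: bytes) -> "Fingerprint":
        o = parse_dhcp_options(options)
        return cls(mac.lower(),
                   o.get(OPT_HOSTNAME, b"").decode(errors="replace"),
                   tuple(o.get(OPT_PARAM_LIST, b"")),
                   o.get(OPT_VENDOR_CLASS, b"").decode(errors="replace"))

class SpoofDetector:
    def __init__(self) -> None:
        self.genuine: Dict[str, Fingerprint] = {}     # mac -> first fingerprint seen
        self.conflicts: List[Tuple[str, List[str]]] = []

    def observe(self, mac: str, options: bytes) -> str:
        fp = Fingerprint.from_request(mac, options)
        first = self.genuine.get(fp.mac)
        if first is None:
            self.genuine[fp.mac] = fp          # original request recorded as genuine
            return "recorded"
        if fp == first:
            return "match"
        diff = [f for f in ("hostname", "param_list", "vendor_class")
                if getattr(fp, f) != getattr(first, f)]
        self.conflicts.append((fp.mac, diff))
        return "Conflict: " + ", ".join(diff)

def opt(code: int, value: bytes) -> bytes:
    """Encode one DHCP option as code, length, value."""
    return bytes([code, len(value)]) + value

# Constructed requests: a Windows-style option set from one MAC, the same PC
# after a rename, and a request with a completely different option profile.
PC_MAC = "00:11:22:33:44:55"
WINDOWS_REQ = (opt(12, b"PC1") + opt(60, b"MSFT 5.0")
               + opt(55, bytes([1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 43]))
               + bytes([OPT_END]))
RENAMED_REQ = WINDOWS_REQ.replace(opt(12, b"PC1"), opt(12, b"PC2"))
OTHER_OS_REQ = (opt(12, b"laptop")
                + opt(55, bytes([1, 28, 2, 3, 15, 6, 119, 12, 44, 47, 26, 121, 42]))
                + bytes([OPT_END]))

if __name__ == "__main__":
    det = SpoofDetector()
    for label, req in [("first", WINDOWS_REQ), ("again", WINDOWS_REQ),
                       ("renamed", RENAMED_REQ), ("other OS", OTHER_OS_REQ)]:
        print(label, "->", det.observe(PC_MAC, req))
```

The renamed-PC case is the caveat to keep in mind when acting on Conflicts: a hostname change alone produces a Conflict just as a different operating system behind the same MAC does, so the diff list is worth keeping in the event rather than only the flag.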


BYOD


Enrollment and Provisioning Workflow (diagram: Active Directory, Access Network, ClearPass Policy Manager, Limited Access Zone)

1. Authorize BYOD enrollment based on AD credentials
2. Register device type & ownership
3. Provision device private key and certificate for that user & device
Revoke certificate (and access) for devices that are lost, stolen or expire
(Diagram labels 4 and 5 mark arrows in the original figure; 5 points at the Limited Access Zone.)


BYOD - 1: Onboard iOS

Install CPPM’s certificate on device


BYOD - 2

Login

Device uses the Profile’s certificates to automatically connect to the secured SSID using TLS

Device creates a private key and pushes a CSR to CPPM

CPPM’s CA creates the Cert; this is pushed to the device


CPPM Certificate Authority


Posture Compliance


Posture Compliance Options

• Proactive v Report only
• Agents
  • Microsoft NAP
    • Supported from XP SP4 upwards
    • Not supported on MAC OSX
  • Persistent Agent
    • Continually scans
    • Communicates with CPPM on:
      • Pulls policy on HTTPS
      • Maintains connectivity status in CPPM (TCP6658)
    • Must be installed as an Administrator
  • Dissolvable Agent
    • User browses to CPPM captive portal
    • Runs once


Typical Scans

• OS version/Service packs/Patches
• Firewall running
• Non/Running service/application
• AntiVirus/AntiSpyware operational with up to date signatures and recently run
• Bridging disabled
• Prevent second interface connection
• Split tunneling
• Patch management system
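The typical scans listed above, turned into a posture policy and applied in the two modes of the previous slide (Proactive quarantines a non-compliant host; Report only records the failures and leaves access unchanged), as an added example in Python. This is not OnGuard or ClearPass code: the layout of the agent report, the thresholds, the required and forbidden process names and the constructed host reports are all assumptions.

```python
# Added example, not ClearPass OnGuard code: a posture policy built from the
# typical scans listed on slide 33, applied in either mode from slide 32
# ("Proactive" quarantines a non-compliant host; "Report only" logs the
# failures and leaves access unchanged). The agent report layout, the
# thresholds, the process names and the constructed host reports are assumptions.
from datetime import date, timedelta
from typing import List, Tuple

MAX_SIGNATURE_AGE_DAYS = 3
MAX_SCAN_AGE_DAYS = 7
REQUIRED_SERVICE_PACK = {"Windows 7": "SP1", "Windows XP": "SP3"}   # assumed baseline
REQUIRED_PROCESSES = {"endpoint-agent.exe"}                         # hypothetical names
FORBIDDEN_PROCESSES = {"p2pclient.exe"}                             # hypothetical names

def evaluate_posture(report: dict, today: date) -> List[str]:
    """Return the names of the checks that failed; an empty list means HEALTHY."""
    failed = []
    needed = REQUIRED_SERVICE_PACK.get(report["os"])
    if needed and report.get("service_pack") != needed:
        failed.append("os_patch_level")
    if not report.get("firewall_running"):
        failed.append("firewall")
    running = set(report.get("running_processes", []))
    if not REQUIRED_PROCESSES <= running:
        failed.append("required_service_missing")
    if FORBIDDEN_PROCESSES & running:
        failed.append("forbidden_application_running")
    av = report.get("antivirus", {})
    if not av.get("operational"):
        failed.append("antivirus")
    else:
        if (today - av["signature_date"]).days > MAX_SIGNATURE_AGE_DAYS:
            failed.append("antivirus_signatures_stale")
        if (today - av["last_scan"]).days > MAX_SCAN_AGE_DAYS:
            failed.append("antivirus_scan_overdue")
    if report.get("bridging_enabled"):
        failed.append("bridging")
    if sum(1 for nic in report.get("interfaces", []) if nic["connected"]) > 1:
        failed.append("second_interface")
    if report.get("split_tunneling"):
        failed.append("split_tunneling")
    if not report.get("patch_management_agent"):
        failed.append("patch_management")
    return failed

def posture_decision(report: dict, today: date, mode: str = "proactive") -> Tuple[str, List[str]]:
    """('allow' | 'quarantine', failed checks). Report-only never quarantines."""
    failed = evaluate_posture(report, today)
    if mode == "report-only" or not failed:
        return "allow", failed
    return "quarantine", failed

# Constructed agent reports.
TODAY = date(2013, 6, 5)
HEALTHY_HOST = {
    "os": "Windows 7", "service_pack": "SP1", "firewall_running": True,
    "running_processes": ["endpoint-agent.exe", "explorer.exe"],
    "antivirus": {"operational": True, "signature_date": TODAY - timedelta(days=1),
                  "last_scan": TODAY - timedelta(days=2)},
    "bridging_enabled": False,
    "interfaces": [{"name": "eth0", "connected": True}, {"name": "wlan0", "connected": False}],
    "split_tunneling": False, "patch_management_agent": True,
}
STALE_HOST = dict(
    HEALTHY_HOST, firewall_running=False,
    running_processes=["endpoint-agent.exe", "p2pclient.exe"],
    antivirus={"operational": True, "signature_date": TODAY - timedelta(days=10),
               "last_scan": TODAY - timedelta(days=2)},
    interfaces=[{"name": "eth0", "connected": True}, {"name": "wlan0", "connected": True}],
)

if __name__ == "__main__":
    for label, host in [("healthy", HEALTHY_HOST), ("stale", STALE_HOST)]:
        print(label, posture_decision(host, TODAY), posture_decision(host, TODAY, "report-only"))
```

Starting in report-only mode with exactly this kind of check list is how the failure distribution across the fleet is measured before switching to proactive enforcement, which is the trade-off the "Proactive v Report only" bullet of the previous slide names.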


Posture Compliance



Look at Posture Events - 2


Reports


Insight Reports


Licensing


CPPM Sizing

Devices (unique MAC addresses) per 24 hours

Size  | Name      | MAC addresses | Profiled devices
Small | CP-SW-500 | 500           | 2000
Med   | CP-SW-5K  | 5000          | 20K
Large | CP-SW-25K | 25K           | 100K


License Usage

Guest: number of guest devices that are connected over a 24 hour period
BYOD: total number of Onboarded devices
OnGuard: total number of OnGuard devices (per week)
Enterprise: can be any of the above

Averaged over a 7 day period. If the average exceeds the license count: warning in the WebUI.

If it exceeds the license count for 4 out of 6 months: the WebUI is locked. The system will continue authenticating users.
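The license accounting rules above (7-day average compared with the license count, a WebUI warning when the average exceeds it, the WebUI locked when the count is exceeded in 4 of the last 6 months, authentication continuing regardless), worked through on constructed daily device counts as an added example in Python. This is not ClearPass code; the slide does not say how a month counts as "exceeded", so treating a month as exceeded when any day in it has a 7-day average over the license count is an assumption, as are the daily figures.

```python
# Added example, not ClearPass code: the license usage rules of slide 41
# (7-day average compared with the license count; a WebUI warning when the
# average exceeds it; WebUI locked when the count is exceeded in 4 of the last
# 6 months; authentication never stops) worked through on constructed daily
# device counts. How a month counts as "exceeded" (any day in it whose 7-day
# average is over the license count) is an assumption.
from datetime import date, timedelta
from statistics import mean
from typing import Dict, List, Set, Tuple

def seven_day_average(daily: Dict[date, int], day: date) -> float:
    """Mean of the device counts for `day` and the six days before it."""
    return mean(daily.get(day - timedelta(days=i), 0) for i in range(7))

def last_six_months(today: date) -> List[Tuple[int, int]]:
    """(year, month) for the current month and the five before it."""
    months, year, month = [], today.year, today.month
    for _ in range(6):
        months.append((year, month))
        month -= 1
        if month == 0:
            year, month = year - 1, 12
    return months

def evaluate_license(daily: Dict[date, int], license_count: int, today: date) -> dict:
    days = [d for d in daily if d <= today]
    over_days = [d for d in days if seven_day_average(daily, d) > license_count]
    exceeded_months: Set[Tuple[int, int]] = {(d.year, d.month) for d in over_days}
    months_over = sum(1 for ym in last_six_months(today) if ym in exceeded_months)
    average_today = seven_day_average(daily, today)
    return {
        "average_today": average_today,
        "warning": average_today > license_count,      # shown in the WebUI
        "months_exceeded": months_over,
        "webui_locked": months_over >= 4,
        "authentication_continues": True,              # the system keeps authenticating
    }

def constructed_daily_counts(start: date, end: date, high_months: Set[Tuple[int, int]],
                             normal: int = 450, high: int = 600) -> Dict[date, int]:
    """Constructed data: `normal` devices a day, `high` in the listed months."""
    daily, day = {}, start
    while day <= end:
        daily[day] = high if (day.year, day.month) in high_months else normal
        day += timedelta(days=1)
    return daily

# Constructed: a 500-device license, overrun during January and March 2013.
LICENSE_COUNT = 500
DAILY = constructed_daily_counts(date(2012, 12, 1), date(2013, 6, 5), {(2013, 1), (2013, 3)})

if __name__ == "__main__":
    for when in (date(2013, 1, 15), date(2013, 2, 28), date(2013, 6, 5)):
        print(when, evaluate_license(DAILY, LICENSE_COUNT, when))
```

Note how the 7-day window carries an overrun into the first days of the following month: two overrun months (January and March) register as four exceeded months (January through April), which is enough to lock the WebUI by June even though the daily count has been under the license for two months.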


Simple Designs


Resilient Guest

NOTES: Safely scales to 25K devices. Cluster Traffic: HTTPS, SQL (TCP port 5432) and VIP (TCP port 224.0.0.18)


Large NAC CPPM (diagram)

Data Centre A: A1 CPPM-25K Publisher; A2, A3, A4 CPPM-25K Subscribers; AD
Data Centre B: B1 CPPM-25K Desig-Pub; B2, B3, B4 CPPM-25K Subscribers; AD
Data centres linked over MPLS (RTR)
Remote Sites: NAS RADIUS Primary A / Backup B

NOTES: Safely scales to 75K devices. Pub and Desig-Pub dedicated to mgmt & log. Cluster Traffic: HTTPS, SQL (TCP port 5432)


Q & A


Thank You
